
Cisco Bug: CSCvt52051 - IPsec tunnel is getting established for a backup NHS DMVPN hub

Last Modified

Sep 14, 2020

Products (14)

  • Cisco IOS
  • Cisco ASR 1000 Series IOS XE SD-WAN
  • Cisco 4221 Integrated Services Router
  • Cisco 4321 Integrated Services Router
  • Cisco ASR 1002-X Router
  • Cisco 4331 Integrated Services Router
  • Cisco ASR 1001-X Router
  • Cisco 4351 Integrated Services Router
  • Cisco ISR 4000 Series IOS XE SD-WAN
  • Cisco ISR 1000 Series IOS XE SD-WAN

Known Affected Releases

16.6.7, 16.9.4

Description (partial)

Symptom:
The spoke establishes an IPsec tunnel to the backup NHS. Because the backup NHS is not used for NHRP, the tunnel goes down shortly afterwards. In scaled setups this can lead to high CPU usage on the backup NHS caused by the "Crypto IKEv2" process. The "SNMP Traps" process can also contribute to high CPU usage if the options below are enabled:

snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop

Conditions:
- There is traffic to the backup NHS initiated from the spoke, for example through an IP SLA icmp-echo probe.
- The backup NHS is in the Waiting state (show ip nhrp nhs) because "ip nhrp nhs cluster X max-connections 1" is configured.

For example:

interface Tunnel1
 ip address 192.168.0.3 255.255.255.0
 ip nhrp nhs 192.168.0.1 nbma 10.0.0.1 multicast priority 1 cluster 1
 ip nhrp nhs 192.168.0.2 nbma 10.0.0.2 multicast priority 2 cluster 1
 ip nhrp nhs cluster 1 max-connections 1
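A small configuration audit, added here as an illustration and not part of the Cisco bug record, that flags the two conditions above from a running-config excerpt: it identifies standby NHS entries in any NHRP cluster limited by max-connections (assumed to be the entries beyond the first max-connections members when sorted by priority value, lowest first) and reports those that are also the target of an IP SLA icmp-echo probe. The ip sla lines in the sample are constructed; the Tunnel1 lines match the example above.

```python
import re

# Constructed sample running-config excerpt: the Tunnel1 block is the one from
# the bug conditions; the "ip sla" probes are added for the illustration.
SAMPLE_CONFIG = """
interface Tunnel1
 ip address 192.168.0.3 255.255.255.0
 ip nhrp nhs 192.168.0.1 nbma 10.0.0.1 multicast priority 1 cluster 1
 ip nhrp nhs 192.168.0.2 nbma 10.0.0.2 multicast priority 2 cluster 1
 ip nhrp nhs cluster 1 max-connections 1
!
ip sla 10
 icmp-echo 192.168.0.2 source-interface Tunnel1
ip sla 20
 icmp-echo 192.168.0.1 source-interface Tunnel1
"""

MAXCONN_RE = re.compile(r"^\s*ip nhrp nhs cluster (\d+) max-connections (\d+)")
NHS_RE = re.compile(r"^\s*ip nhrp nhs (\S+) nbma \S+(.*)$")
SLA_RE = re.compile(r"^\s*icmp-echo (\S+)")


def find_probed_standby_nhs(config: str):
    """Return sorted NHS addresses that are standby in a max-connections
    cluster and are also probed by an IP SLA icmp-echo operation."""
    nhs = []          # (address, priority, cluster)
    maxconn = {}      # cluster id -> max-connections value
    probes = set()    # icmp-echo destination addresses
    for line in config.splitlines():
        m = MAXCONN_RE.match(line)
        if m:
            maxconn[m.group(1)] = int(m.group(2))
            continue
        m = NHS_RE.match(line)
        if m:
            opts = m.group(2)
            prio = re.search(r"priority (\d+)", opts)
            clus = re.search(r"cluster (\d+)", opts)
            # IOS defaults: priority 0 and cluster 0 when not configured.
            nhs.append((m.group(1),
                        int(prio.group(1)) if prio else 0,
                        clus.group(1) if clus else "0"))
            continue
        m = SLA_RE.match(line)
        if m:
            probes.add(m.group(1))
    findings = set()
    for cluster, limit in maxconn.items():
        # Lower priority value is preferred; members past `limit` stay in Waiting.
        members = sorted(((p, a) for a, p, c in nhs if c == cluster))
        for _prio, addr in members[limit:]:
            if addr in probes:
                findings.add(addr)
    return sorted(findings)
```

Running it on the sample reports 192.168.0.2, the standby NHS that is probed; the primary NHS 192.168.0.1 is probed too but is not reported because it is an active NHRP server.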